backend-common: remove deprecated HTTPS config
This commit is contained in:
Patrik Oldsberg
@@ -0,0 +1,5 @@
|
||||
---
|
||||
'@backstage/backend-common': minor
|
||||
---
|
||||
|
||||
Remove support for HTTPS certificate generation parameters. Use `backend.https = true` instead.
|
||||
Vendored
+10
-25
@@ -41,31 +41,16 @@ export interface Config {
|
||||
https?:
|
||||
| true
|
||||
| {
|
||||
/**
|
||||
* Certificate configuration or parameters for generating a self-signed certificate
|
||||
*
|
||||
* Setting parameters for self-signed certificates is deprecated and will be removed in
|
||||
* the future, set `backend.https = true` instead.
|
||||
*/
|
||||
certificate?:
|
||||
| {
|
||||
/** Algorithm to use to generate a self-signed certificate */
|
||||
algorithm?: string;
|
||||
keySize?: number;
|
||||
days?: number;
|
||||
attributes: {
|
||||
commonName: string;
|
||||
};
|
||||
}
|
||||
| {
|
||||
/** PEM encoded certificate. Use $file to load in a file */
|
||||
cert: string;
|
||||
/**
|
||||
* PEM encoded certificate key. Use $file to load in a file.
|
||||
* @visibility secret
|
||||
*/
|
||||
key: string;
|
||||
};
|
||||
/** Certificate configuration */
|
||||
certificate?: {
|
||||
/** PEM encoded certificate. Use $file to load in a file */
|
||||
cert: string;
|
||||
/**
|
||||
* PEM encoded certificate key. Use $file to load in a file.
|
||||
* @visibility secret
|
||||
*/
|
||||
key: string;
|
||||
};
|
||||
};
|
||||
|
||||
/** Database connection configuration, select database type using the `client` field */
|
||||
|
||||
@@ -22,23 +22,8 @@ export type BaseOptions = {
|
||||
listenHost?: string;
|
||||
};
|
||||
|
||||
export type CertificateOptions = {
|
||||
key?: CertificateKeyOptions;
|
||||
attributes?: CertificateAttributeOptions;
|
||||
};
|
||||
|
||||
export type CertificateKeyOptions = {
|
||||
size?: number;
|
||||
algorithm?: string;
|
||||
days?: number;
|
||||
};
|
||||
|
||||
export type CertificateAttributeOptions = {
|
||||
commonName?: string;
|
||||
};
|
||||
|
||||
export type HttpsSettings = {
|
||||
certificate: CertificateSigningOptions | CertificateReferenceOptions;
|
||||
certificate: CertificateGenerationOptions | CertificateReferenceOptions;
|
||||
};
|
||||
|
||||
export type CertificateReferenceOptions = {
|
||||
@@ -46,11 +31,8 @@ export type CertificateReferenceOptions = {
|
||||
cert: string;
|
||||
};
|
||||
|
||||
export type CertificateSigningOptions = {
|
||||
algorithm?: string;
|
||||
size?: number;
|
||||
days?: number;
|
||||
attributes: CertificateAttributes;
|
||||
export type CertificateGenerationOptions = {
|
||||
hostname: string;
|
||||
};
|
||||
|
||||
export type CertificateAttributes = {
|
||||
@@ -196,20 +178,14 @@ export function readHttpsSettings(config: Config): HttpsSettings | undefined {
|
||||
const https = config.get('https');
|
||||
if (https === true) {
|
||||
const baseUrl = config.getString('baseUrl');
|
||||
let commonName;
|
||||
let hostname;
|
||||
try {
|
||||
commonName = new URL(baseUrl).hostname;
|
||||
hostname = new URL(baseUrl).hostname;
|
||||
} catch (error) {
|
||||
throw new Error(`Invalid backend.baseUrl "${baseUrl}"`);
|
||||
}
|
||||
|
||||
return {
|
||||
certificate: {
|
||||
attributes: {
|
||||
commonName,
|
||||
},
|
||||
},
|
||||
};
|
||||
return { certificate: { hostname } };
|
||||
}
|
||||
|
||||
const cc = config.getOptionalConfig('https');
|
||||
|
||||
@@ -20,10 +20,12 @@ import express from 'express';
|
||||
import * as http from 'http';
|
||||
import * as https from 'https';
|
||||
import { Logger } from 'winston';
|
||||
import { CertificateSigningOptions, HttpsSettings } from './config';
|
||||
import { HttpsSettings } from './config';
|
||||
|
||||
const ALMOST_MONTH_IN_MS = 25 * 24 * 60 * 60 * 1000;
|
||||
|
||||
const IP_HOSTNAME_REGEX = /:|^\d+\.\d+\.\d+\.\d+$/;
|
||||
|
||||
/**
|
||||
* Creates a Http server instance based on an Express application.
|
||||
*
|
||||
@@ -59,17 +61,17 @@ export async function createHttpsServer(
|
||||
|
||||
let credentials: { key: string | Buffer; cert: string | Buffer };
|
||||
|
||||
const signingOptions: any = httpsSettings?.certificate;
|
||||
|
||||
// TODO(Rugvip): remove support for generated certificate params and make this a more straightforward check
|
||||
if (signingOptions?.attributes) {
|
||||
credentials = await getGeneratedCertificate(signingOptions, logger);
|
||||
if ('hostname' in httpsSettings?.certificate) {
|
||||
credentials = await getGeneratedCertificate(
|
||||
httpsSettings.certificate.hostname,
|
||||
logger,
|
||||
);
|
||||
} else {
|
||||
logger?.info('Loading certificate from config');
|
||||
|
||||
credentials = {
|
||||
key: signingOptions?.key,
|
||||
cert: signingOptions?.cert,
|
||||
key: httpsSettings?.certificate?.key,
|
||||
cert: httpsSettings?.certificate?.cert,
|
||||
};
|
||||
}
|
||||
|
||||
@@ -80,16 +82,7 @@ export async function createHttpsServer(
|
||||
return https.createServer(credentials, app) as http.Server;
|
||||
}
|
||||
|
||||
async function getGeneratedCertificate(
|
||||
options: CertificateSigningOptions,
|
||||
logger?: Logger,
|
||||
) {
|
||||
if (options?.algorithm) {
|
||||
logger?.warn(
|
||||
'Certificate generation configuration with parameters in backend.https.certificate is deprecated, set backend.https = true instead',
|
||||
);
|
||||
}
|
||||
|
||||
async function getGeneratedCertificate(hostname: string, logger?: Logger) {
|
||||
const hasModules = await fs.pathExists('node_modules');
|
||||
let certPath;
|
||||
if (hasModules) {
|
||||
@@ -119,20 +112,61 @@ async function getGeneratedCertificate(
|
||||
}
|
||||
|
||||
logger?.info('Generating new self-signed certificate');
|
||||
const newCert = await createCertificate(options);
|
||||
const newCert = await createCertificate(hostname);
|
||||
await fs.writeFile(certPath, newCert.cert + newCert.key, 'utf8');
|
||||
return newCert;
|
||||
}
|
||||
|
||||
async function createCertificate(options: CertificateSigningOptions) {
|
||||
const attributes: Array<any> = Object.entries(
|
||||
options.attributes,
|
||||
).map(([name, value]) => ({ name, value }));
|
||||
async function createCertificate(hostname: string) {
|
||||
const attributes = [
|
||||
{
|
||||
name: 'commonName',
|
||||
value: 'dev-cert',
|
||||
},
|
||||
];
|
||||
|
||||
const sans = [
|
||||
{
|
||||
type: 2, // DNS
|
||||
value: 'localhost',
|
||||
},
|
||||
{
|
||||
type: 2,
|
||||
value: 'localhost.localdomain',
|
||||
},
|
||||
{
|
||||
type: 2,
|
||||
value: '[::1]',
|
||||
},
|
||||
{
|
||||
type: 7, // IP
|
||||
ip: '127.0.0.1',
|
||||
},
|
||||
{
|
||||
type: 7,
|
||||
ip: 'fe80::1',
|
||||
},
|
||||
];
|
||||
|
||||
// Add hostname from backend.baseUrl if it doesn't already exist in our list of SANs
|
||||
if (!sans.find(({ value, ip }) => value === hostname || ip === hostname)) {
|
||||
sans.push(
|
||||
IP_HOSTNAME_REGEX.test(hostname)
|
||||
? {
|
||||
type: 7,
|
||||
ip: hostname,
|
||||
}
|
||||
: {
|
||||
type: 2,
|
||||
value: hostname,
|
||||
},
|
||||
);
|
||||
}
|
||||
|
||||
const params = {
|
||||
algorithm: options?.algorithm || 'sha256',
|
||||
keySize: options?.size || 2048,
|
||||
days: options?.days || 30,
|
||||
algorithm: 'sha256',
|
||||
keySize: 2048,
|
||||
days: 30,
|
||||
extensions: [
|
||||
{
|
||||
name: 'keyUsage',
|
||||
@@ -151,36 +185,7 @@ async function createCertificate(options: CertificateSigningOptions) {
|
||||
},
|
||||
{
|
||||
name: 'subjectAltName',
|
||||
altNames: [
|
||||
{
|
||||
type: 2, // DNS
|
||||
value: 'localhost',
|
||||
},
|
||||
{
|
||||
type: 2,
|
||||
value: 'localhost.localdomain',
|
||||
},
|
||||
{
|
||||
type: 2,
|
||||
value: '[::1]',
|
||||
},
|
||||
{
|
||||
type: 7, // IP
|
||||
ip: '127.0.0.1',
|
||||
},
|
||||
{
|
||||
type: 7,
|
||||
ip: 'fe80::1',
|
||||
},
|
||||
...(options.attributes.commonName
|
||||
? [
|
||||
{
|
||||
type: 2, // DNS
|
||||
value: options.attributes.commonName,
|
||||
},
|
||||
]
|
||||
: []),
|
||||
],
|
||||
altNames: sans,
|
||||
},
|
||||
],
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user